21st Century Confidence Scheme: How the Increasingly Popular Social Engineering Hack Can Be Prevented
A Confidence Scheme for the Technology Age
With the increasing complexity of hardware- and software-based cyber security, social engineering is once again gaining popularity among groups of hackers looking to infiltrate protected systems. Social engineering never really went away, but with industry professionals continually improving cyber-security systems, it is once again becoming the easiest method of entry for malicious individuals.
At a basic level, social engineering is the simplest and most preventable form of “hack” that security administrators will face. These attacks involve assailants attempting to obtain key information, such as passwords, security-question answers, or personal information, from unsuspecting victims. The information feeds a wide range of potential cyber attacks, including phishing emails, spear-phishing, and confidence schemes. Oftentimes, the easiest method of entry into a secure system is simply to walk in holding the key. Social engineering is the method through which that key is obtained.
Social Engineering Attacks on the Rise
Social engineering can affect anyone, from organizations of every size to the Director of National Intelligence and the retail giant Walmart. A recent survey shows that a whopping 60 percent of security administrators say they have been targeted by social engineering frauds.
Types of Attacks and How to Prevent Them
The most popular method of gaining key information, phishing emails, is also the easiest to prevent. This kind of attack involves sending an email, made to look authentic, that asks for important personal information and sometimes even for passwords themselves. An example would be an e-mail appearing to come from a user’s bank asking for date of birth and social-security number. Sometimes these e-mails contain links that lead to legitimate-looking websites asking for even more information, such as usernames and passwords. To prevent phishing emails, systems administrators can set up phishing filters for company email accounts, use trusted web-security software, and instruct employees on how to spot these easily preventable attacks. As with many cyber-security threats, preventing phishing emails requires security leaders to raise awareness and knowledge of these kinds of attacks among users at every level of the system.
Phishing schemes are not limited to e-mail, and administrators should be aware that the most effective phishing schemes are often performed in person or over the phone. Educating employees on security practices and on the need to protect their passwords and personal information will help protect organizations from being breached. Perform a security assessment and ensure guidelines are in place to help combat these simple but effective attacks.
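As an added illustration (not code from the original article), the following Python shows the kind of heuristics a simple phishing filter can apply to the scenario just described: a sender that borrows a trusted bank’s name from a different domain, a body that asks for date of birth, social-security number or a password, and a link whose visible URL differs from where it really points. The allow-list `TRUSTED_DOMAINS` and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list of domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.test"}
SENSITIVE_TERMS = ("password", "social security", "date of birth", "security question")
# Constructed samples (not real email): a bank lookalike asking for DOB/SSN, and a clean mail.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@example-bank-verify.test>

Please confirm your date of birth and social security number at
<a href="http://example-bank-verify.test/login">https://www.example-bank.test/secure</a>
"""
SAMPLE_CLEAN = """From: "Example Bank" <alerts@example-bank.test>

View it at <a href="https://www.example-bank.test/secure">https://www.example-bank.test/secure</a>
"""

def link_mismatches(body):
    """(href_host, visible_host) pairs where the URL shown differs from the real target."""
    pairs = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and text_host != href_host:
            pairs.append((href_host, text_host))
    return pairs

def phishing_indicators(raw):
    """Return the reasons a message should be held for review (empty list = clean)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    display_norm = re.sub(r"\W+", "-", display.lower())
    reasons = []
    # 1. Brand impersonation: name or domain borrows a trusted label, but the domain is not trusted.
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if (label in display_norm or label in sender_domain) and sender_domain != trusted:
            reasons.append(f"sender {sender_domain} impersonates {trusted}")
    # 2. Direct request for credentials or security-question material.
    asked = [t for t in SENSITIVE_TERMS if t in body.lower()]
    if asked:
        reasons.append("asks for: " + ", ".join(asked))
    # 3. Link whose visible URL points somewhere other than its href.
    for href_host, text_host in link_mismatches(body):
        reasons.append(f"link shows {text_host} but goes to {href_host}")
    return reasons
```

A real filter would add sender-authentication results (SPF/DKIM/DMARC) and URL reputation, but these three checks already catch the pattern the paragraph describes.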
Mitigating Risk
Users should be warned against providing any information without first verifying the identity of the person asking for it. E-mails asking for personal information of any kind should be verified in person or over the phone to confirm their legitimacy. Passwords themselves should never be given out freely; if a password reset is needed, it can be performed without the existing password ever being revealed. Implementing a policy that states administrators will never ask users for their passwords helps reinforce this point. Likewise, personal information, especially social-security numbers and the potential answers to “security questions,” should never be revealed, particularly over e-mail or the phone. Users should also be instructed to be careful in their web browsing and to double-check that the sites they visit are legitimate and secure.
Prevention Begins with the End User
Like many security threats, preventing social engineering frauds begins and ends with the user. A system is only as secure as the weakest link in the chain, and the weakest link of any security system is always the people who access it. The best way to counteract these easily avoidable breaches is with knowledge, thorough instruction, and strict implementation of security practices for employees at every level. Regular security assessments and reviews of employees’ daily web practices will tighten security company-wide and help prevent critical loss of information or unwanted access to secure systems through these malicious cyber attacks.